10432620

Biometric Authentication

Published: October 1, 2019
Assignee: not available in USPTO data we have
Patent Claims
11 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A computer-implemented method for operating a user device having at least a trusted application and an external application installed on the user device, the method comprising: operating the trusted application to obtain registration credentials which are configured to be entered by a user to log in to a secured function of the external application, wherein the trusted application is in a Trusted Execution Environment of the user device and the external application is on the user device and outside the Trusted Execution Environment; causing the trusted application to store the registration credentials with an identifier of the external application and/or the secured function; receiving an indication that the user requires access to the secured function which can only be accessed following validation of an identity of the user; performing a biometric validation of the identity of the user based at least in part on data collected from a biometric sensor associated with the user device, the biometric validation being performed within the Trusted Execution Environment; and in response to said performing the biometric validation, causing authentication credentials to be passed from the trusted application to the secured function of the external application to obtain access to the secured function, wherein the authentication credentials are based on the registration credentials.

Plain English Translation

This invention relates to secure authentication systems for user devices, specifically addressing the challenge of protecting sensitive credentials while enabling seamless access to external applications. The method involves a trusted application operating within a Trusted Execution Environment (TEE) on a user device, separate from an external application running outside the TEE. The trusted application obtains and securely stores registration credentials entered by a user to log in to a secured function of the external application, associating these credentials with an identifier of the external application or its secured function. When the user requests access to the secured function, the system performs biometric validation within the TEE using data from a device-associated biometric sensor. Upon successful validation, the trusted application generates authentication credentials derived from the stored registration credentials and passes them to the external application's secured function, granting access without exposing the original credentials. This approach enhances security by isolating sensitive operations within the TEE while maintaining usability for external applications.

Claim 2

Original Legal Text

2. The method of claim 1, wherein either: said authentication credentials comprise at least some of the registration credentials; or the method further comprises the trusted application processing at least some of the registration credentials, optionally together with input from the external application, to produce said authentication credentials.

Plain English Translation

This invention relates to a method for securely authenticating a user within a computing environment, particularly where a trusted application interacts with an external application to verify user identity. The problem addressed is ensuring secure and efficient authentication while minimizing redundant data entry or storage. The method involves a trusted application receiving registration credentials from a user during an initial registration process. These credentials may include biometric data, passwords, or other identifiers. During subsequent authentication attempts, the trusted application either directly uses some of the registration credentials as authentication credentials or processes the registration credentials—optionally combined with additional input from the external application—to generate authentication credentials. This approach reduces the need for separate authentication data storage while maintaining security. The method ensures that authentication remains tied to the original registration process, enhancing trust and reducing the risk of credential mismanagement. The solution is particularly useful in systems where multiple applications require consistent authentication without duplicating credential storage or processing.

Claim 3

Original Legal Text

3. The method of claim 1, wherein the external application resides in at least one of a Secure Element and a Rich Execution Environment.

Plain English Translation

This invention relates to secure execution environments for external applications in mobile devices. The problem addressed is ensuring secure execution of applications while allowing flexibility in deployment across different secure environments. The invention provides a method for executing an external application in a mobile device, where the application is configured to run in at least one of a Secure Element (SE) or a Rich Execution Environment (REE). The Secure Element is a tamper-resistant hardware component designed to securely store and process sensitive data, such as payment credentials or biometric information. The Rich Execution Environment is a software-based environment that provides a higher level of security than the main operating system but is less restricted than a Secure Element. The method involves determining the execution environment available on the mobile device and then loading and executing the external application in the appropriate environment. If both environments are available, the method may prioritize the Secure Element for higher security requirements or the REE for applications needing more computational resources. The invention ensures that applications are executed in the most suitable secure environment based on their requirements and the device's capabilities, enhancing both security and functionality.

Claim 4

Original Legal Text

4. The method of claim 1, further comprising: receiving the authentication credentials at the external application; operating the external application to validate the authentication credentials; and operating the external application to provision of access to the secured function to the user.

Plain English Translation

This invention relates to authentication systems for securing access to functions within external applications. The problem addressed is the need for secure and efficient authentication processes that allow users to access protected functions in external applications while maintaining security and usability. The method involves receiving authentication credentials from a user at an external application. These credentials are then validated by the external application to verify the user's identity. Upon successful validation, the external application grants the user access to a secured function, enabling them to perform the desired operation. The authentication process ensures that only authorized users can access sensitive functions, enhancing security while providing seamless access for legitimate users. The method may also include additional steps such as generating authentication tokens or session keys to facilitate secure access. The system ensures that authentication is performed within the external application itself, reducing reliance on external authentication services and improving efficiency. This approach is particularly useful in environments where direct integration with external authentication systems is not feasible or desirable.

Claim 5

Original Legal Text

5. A computer-implemented method for operating a user device having at least a trusted application and an external application operating on the user device, the method comprising: operating the trusted application to obtain a biometric validation of an identity of a user based at least in part on data collected from a biometric sensor of the user device, the trusted application stored in a Trusted Execution Environment of the user device and the biometric validation being performed within the Trusted Execution Environment of the user device; and in response to said obtaining the biometric validation, operating the trusted application to pass a user identity validation message over a secure channel to an interface application of a Secure Element on the user device configured to communicate with the external application that resides in the Secure Element outside of said Trusted Execution Environment on the user device, in response to obtaining an indication that the user requires access to said secured function, directing, by the interface application, a biometric authentication message towards the external application, the external application having the secured function which can only be accessed following validation of the identity of the user.

Plain English Translation

This invention relates to secure user authentication in computing devices, specifically for enabling access to secured functions within an external application while leveraging a trusted application operating in a Trusted Execution Environment (TEE). The problem addressed is ensuring secure and isolated biometric authentication for external applications that require user identity validation but operate outside the TEE. The method involves a user device with at least a trusted application and an external application. The trusted application, stored in the TEE, obtains biometric validation of a user's identity using data from a biometric sensor, with the validation process occurring entirely within the TEE. Upon successful validation, the trusted application sends a user identity validation message over a secure channel to an interface application in a Secure Element (SE) on the device. The SE communicates with the external application, which resides outside the TEE. The interface application then directs a biometric authentication message to the external application, allowing access to a secured function only after the user's identity is validated. This approach ensures that sensitive authentication processes remain isolated within the TEE while enabling secure access to functions in external applications.

Claim 6

Original Legal Text

6. The method of claim 5, further comprising the external application receiving the biometric authentication message and, subsequent to receiving of the biometric authentication message, providing the user with access to the secured function.

Plain English Translation

This invention relates to biometric authentication systems, specifically methods for securely granting access to a function based on biometric verification. The problem addressed is ensuring secure and user-friendly authentication in digital systems, particularly where traditional password-based methods are vulnerable or inconvenient. The method involves an external application receiving a biometric authentication message, which is generated after a user's biometric data (e.g., fingerprint, facial recognition, or voiceprint) is verified against stored templates. Upon receiving this message, the external application grants the user access to a secured function, such as an application, service, or device feature. This step occurs only after successful biometric verification, ensuring that access is restricted to authorized users. The biometric authentication process may involve capturing the user's biometric data, comparing it to pre-registered templates, and generating a confirmation message if the match is successful. The external application then processes this message to enable access, enhancing security by eliminating reliance on passwords or PINs. This approach is particularly useful in environments where quick, secure authentication is required, such as mobile devices, financial transactions, or enterprise systems. The method ensures that only verified users can access sensitive functions, reducing the risk of unauthorized access.

Claim 7

Original Legal Text

7. The method of claim 5, wherein the channel is secured by means of the trusted application and the interface application both having knowledge of a cryptographic key.

Plain English Translation

A system and method for secure communication between a trusted application and an interface application in a computing environment. The technology addresses the problem of unauthorized access and data interception during communication between applications, particularly in environments where sensitive data is exchanged. The solution involves establishing a secure communication channel between the trusted application and the interface application, where both applications share knowledge of a cryptographic key. This key is used to encrypt and decrypt data transmitted between the applications, ensuring confidentiality and integrity. The trusted application is a secure module that handles sensitive operations, while the interface application acts as an intermediary for external interactions. The cryptographic key may be pre-shared, dynamically generated, or derived from a secure key exchange protocol. The secure channel prevents eavesdropping and tampering by unauthorized parties, enhancing the overall security of the system. This approach is particularly useful in environments where applications must communicate securely, such as in financial transactions, authentication systems, or secure data processing. The method ensures that only authorized applications with the correct cryptographic key can participate in the communication, mitigating risks of data breaches and unauthorized access.
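The channel in Claims 5 and 7, sketched as an added example that is not code from the patent or from this page: the trusted application emits a validation message only after a biometric match, and the interface application accepts it only if it verifies under the shared key and is fresh. The claim states only that both sides know a cryptographic key; HMAC-SHA256, the message counter, the class names and the applet identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size (assumed primitive, not named in the claim)


class TrustedApp:
    """Hypothetical stand-in for the trusted application inside the TEE."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def validation_message(self, app_id: bytes, biometric_ok: bool) -> bytes:
        # A message is produced only after a successful biometric validation.
        if not biometric_ok:
            raise PermissionError("biometric validation failed")
        self._counter += 1
        body = struct.pack(">Q", self._counter) + app_id
        return body + hmac.new(self._key, body, hashlib.sha256).digest()


class InterfaceApp:
    """Hypothetical stand-in for the interface application on the Secure Element."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self._validated = set()  # external apps with an unused validation

    def receive(self, msg: bytes) -> bool:
        if len(msg) < 8 + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified in transit
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:
            return False  # replay of an earlier validation
        self._last_counter = counter
        self._validated.add(body[8:])
        return True

    def request_access(self, app_id: bytes) -> bool:
        # True models directing the biometric authentication message to the
        # external application; each validation is consumed on first use.
        if app_id in self._validated:
            self._validated.remove(app_id)
            return True
        return False


def demo() -> dict:
    key = os.urandom(32)  # constructed key; provisioning is out of scope here
    tee, se = TrustedApp(key), InterfaceApp(key)
    app = b"payment-applet"  # constructed identifier
    msg = tee.validation_message(app, biometric_ok=True)
    tampered = msg[:8] + b"other-applet!!" + msg[-TAG_LEN:]
    return {
        "before": se.request_access(app),
        "tampered": se.receive(tampered),
        "accepted": se.receive(msg),
        "replayed": se.receive(msg),
        "granted": se.request_access(app),
        "granted_again": se.request_access(app),
    }
```

The counter and the one-shot consumption are the parts a shared key alone does not give you: without them a captured validation message could be replayed to the interface application later.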

Claim 8

Original Legal Text

8. The method of claim 5, wherein: one or both of the external application and the interface application are cardlets, and optionally if both of the external application and the interface application are cardlets, a further request is made through a Shared Interface Object.

Plain English Translation

This invention relates to a system for secure communication between applications in a computing environment, particularly where applications are implemented as cardlets. The problem addressed is the need for secure and efficient interaction between external applications and interface applications, especially when both are cardlets running in a constrained environment like a smart card or secure element. Cardlets are lightweight Java-based applications that operate within a Java Card environment, which has limited resources and strict security requirements. The invention describes a method where one or both of the external application and the interface application are cardlets. If both applications are cardlets, the communication is facilitated through a Shared Interface Object (SIO). The SIO acts as an intermediary, ensuring secure and standardized interaction between the cardlets. This approach allows for modular and scalable application design while maintaining security and compatibility within the Java Card framework. The use of cardlets and an SIO enables efficient resource management and reduces the risk of unauthorized access or data breaches. The method ensures that applications can communicate securely without exposing sensitive data or violating the security policies of the Java Card environment. This solution is particularly useful in applications requiring high security, such as financial transactions, authentication, or identity management.

Claim 9

Original Legal Text

9. The method of claim 5, wherein the interface application is a cardlet having Global Platform Privilege indicating Cardholder Verification Method Management.

Plain English Translation

A system and method for managing cardholder verification methods (CVM) in a secure element, such as a smart card or embedded secure element in a mobile device, using a cardlet application with Global Platform Privilege. The technology addresses the need for secure and flexible management of authentication methods in payment or identification systems, ensuring compliance with industry standards while allowing dynamic updates to verification methods. The cardlet application operates within a secure environment and is granted elevated privileges under the Global Platform standard, enabling it to modify or update CVM configurations without requiring physical access to the card or secure element. This includes the ability to enable, disable, or reconfigure biometric, PIN, or other verification methods based on policy updates, security requirements, or user preferences. The system ensures that changes to CVM settings are performed securely, maintaining the integrity and confidentiality of the authentication process. The solution is particularly useful in payment systems, digital wallets, or access control systems where secure and dynamic management of authentication methods is required. By leveraging Global Platform Privilege, the system ensures that only authorized entities can modify CVM settings, preventing unauthorized changes that could compromise security. The approach also supports compliance with standards such as EMV, ensuring interoperability across different payment networks and devices.

Claim 10

Original Legal Text

10. The method of claim 5, wherein the interface application is further configured to communicate with a further external application of the Secure Element outside of the Trusted Execution Environment, the further external application having a further secured function which can only be accessed following validation of the identity of the user; the method optionally further comprising the interface application directing a further biometric authentication message towards the further external application; said directing of said further biometric authentication message optionally being in response to one of the trusted application and the further external application obtaining an indication that the user requires access to said further secured function and subsequently directing a request for access to the further secured function towards the interface application; the method optionally further comprising the further external application receiving the further biometric authentication message and, subsequent to said receiving of the further biometric authentication message, providing the user with access to the further secured function.

Plain English Translation

This invention relates to secure authentication systems involving biometric verification for accessing functions within a Secure Element (SE) and external applications outside a Trusted Execution Environment (TEE). The problem addressed is ensuring secure access to sensitive functions in a computing environment where multiple applications may require user authentication. The system includes an interface application that facilitates communication between a trusted application within the TEE and an external application outside the TEE, both residing in the SE. The external application contains a secured function that can only be accessed after validating the user's identity. The interface application is configured to direct a biometric authentication message to the external application when access to the secured function is requested. This request may originate from either the trusted application or the external application, which detects the need for access and forwards a request to the interface application. Upon receiving the biometric authentication message, the external application grants the user access to the secured function. This ensures that sensitive operations are only performed after proper authentication, enhancing security in multi-application environments.

Claim 11

Original Legal Text

11. A user device having at least a trusted application and an external application operating thereon, the user device comprising: a processor; and a memory in communication with the processor, the memory storing program instructions, the processor operative with the program instructions to perform functions as follows: operating a trusted application to obtain a biometric validation of an identity of a user based at least in part on data collected from a biometric sensor of the user device, the trusted application stored in a Trusted Execution Environment of the user device and the biometric validation being performed within the Trusted Execution Environment of the user device; and in response to said obtaining the biometric validation, operating the trusted application to pass a user identity validation message over a secure channel to an interface application of a Secure Element on the user device configured to communicate with the external application that resides in the Secure Element outside of said Trusted Execution Environment on the user device, in response to obtaining an indication that the user requires access to said secured function, directing, by the interface application, a biometric authentication message towards the external application, the external application having the secured function which can only be accessed following validation of the identity of the user.

Plain English Translation

A user device includes a trusted application and an external application, both operating on the device. The device has a processor and memory storing program instructions to execute functions. The trusted application, stored in a Trusted Execution Environment (TEE), obtains biometric validation of a user's identity using data from a biometric sensor, with the validation performed within the TEE. Upon successful validation, the trusted application sends a user identity validation message over a secure channel to an interface application in a Secure Element (SE) of the device. The SE communicates with the external application, which resides outside the TEE. The interface application then directs a biometric authentication message to the external application, which contains a secured function that can only be accessed after the user's identity is validated. This system ensures secure access to sensitive functions by leveraging biometric authentication within a trusted environment before granting access to external applications. The TEE and SE work together to maintain security, with the TEE handling authentication and the SE managing access to secured functions in the external application.

Patent Metadata

Filing Date

Unknown

Publication Date

October 1, 2019

Inventors

Patrik Smets
Mehdi Collinge

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “BIOMETRIC AUTHENTICATION” (10432620). https://patentable.app/patents/10432620

© 2026 Nomic Interactive Technology LLC. Machine-readable context available at /api/llm-context/10432620. See llms.txt for full attribution policy.